search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13264: Move declaration before code.
[Samba.git] / source / dsdb / samdb / cracknames.c
blob8cc95e503cd7ac536631eda4bbe1406273fecd25
1 /*
2 Unix SMB/CIFS implementation.
3
4 endpoint server for the drsuapi pipe
5 DsCrackNames()
6
7 Copyright (C) Stefan Metzmacher 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "librpc/gen_ndr/ndr_drsuapi.h"
27 #include "rpc_server/common/common.h"
28 #include "lib/ldb/include/ldb_errors.h"
29 #include "system/kerberos.h"
30 #include "auth/kerberos/kerberos.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/ldap/ldap.h"
33 #include "auth/auth.h"
34
35 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
36 struct smb_krb5_context *smb_krb5_context,
37 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
38 const struct ldb_dn *name_dn, const char *name,
39 const char *domain_filter, const char *result_filter,
40 struct drsuapi_DsNameInfo1 *info1);
41 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
42 uint32_t format_offered, uint32_t format_desired,
43 const struct ldb_dn *name_dn, const char *name,
44 struct drsuapi_DsNameInfo1 *info1);
45
46 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx,
47 TALLOC_CTX *mem_ctx,
48 const char *alias_from,
49 char **alias_to)
50 {
51 int i;
52 int ret;
53 struct ldb_result *res;
54 struct ldb_message_element *spnmappings;
55 TALLOC_CTX *tmp_ctx;
56 struct ldb_dn *service_dn;
57 char *service_dn_str;
58
59 const char *directory_attrs[] = {
60 "sPNMappings",
61 NULL
62 };
63
64 tmp_ctx = talloc_new(mem_ctx);
65 if (!tmp_ctx) {
66 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
67 }
68
69 service_dn = ldb_dn_string_compose(tmp_ctx, samdb_base_dn(mem_ctx),
70 "CN=Directory Service,CN=Windows NT"
71 ",CN=Services,CN=Configuration");
72 service_dn_str = ldb_dn_linearize(tmp_ctx, service_dn);
73
74 ret = ldb_search(ldb_ctx, service_dn, LDB_SCOPE_BASE, "(objectClass=nTDSService)",
75 directory_attrs, &res);
76
77 if (ret != LDB_SUCCESS) {
78 DEBUG(1, ("ldb_search: dn: %s not found: %s", service_dn_str, ldb_errstring(ldb_ctx)));
79 return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
80 } else if (res->count > 1) {
81 talloc_free(res);
82 DEBUG(1, ("ldb_search: dn: %s found %d times!", service_dn_str, res->count));
83 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
84 }
85 talloc_steal(tmp_ctx, res);
86
87 spnmappings = ldb_msg_find_element(res->msgs[0], "sPNMappings");
88 if (!spnmappings || spnmappings->num_values == 0) {
89 DEBUG(1, ("ldb_search: dn: %s no sPNMappings attribute", service_dn_str));
90 talloc_free(tmp_ctx);
91 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
92 }
93
94 for (i = 0; i < spnmappings->num_values; i++) {
95 char *mapping, *p, *str;
96 mapping = talloc_strdup(tmp_ctx,
97 (const char *)spnmappings->values[i].data);
98 if (!mapping) {
99 DEBUG(1, ("LDB_lookup_spn_alias: ldb_search: dn: %s did not have an sPNMapping\n", service_dn_str));
100 talloc_free(tmp_ctx);
101 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
102 }
103
104 /* C string manipulation sucks */
105
106 p = strchr(mapping, '=');
107 if (!p) {
108 DEBUG(1, ("ldb_search: dn: %s sPNMapping malformed: %s\n",
109 service_dn_str, mapping));
110 talloc_free(tmp_ctx);
111 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
112 }
113 p[0] = '\0';
114 p++;
115 do {
116 str = p;
117 p = strchr(p, ',');
118 if (p) {
119 p[0] = '\0';
120 p++;
121 }
122 if (strcasecmp(str, alias_from) == 0) {
123 *alias_to = mapping;
124 talloc_steal(mem_ctx, mapping);
125 talloc_free(tmp_ctx);
126 return DRSUAPI_DS_NAME_STATUS_OK;
127 }
128 } while (p);
129 }
130 DEBUG(1, ("LDB_lookup_spn_alias: no alias for service %s applicable\n", alias_from));
131 talloc_free(tmp_ctx);
132 return DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
133 }
134
135 /* When cracking a ServicePrincipalName, many services may be served
136 * by the host/ servicePrincipalName. The incoming query is for cifs/
137 * but we translate it here, and search on host/. This is done after
138 * the cifs/ entry has been searched for, making this a fallback */
139
140 static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
141 struct smb_krb5_context *smb_krb5_context,
142 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
143 const char *name, struct drsuapi_DsNameInfo1 *info1)
144 {
145 WERROR wret;
146 krb5_error_code ret;
147 krb5_principal principal;
148 const char *service;
149 char *new_service;
150 char *new_princ;
151 enum drsuapi_DsNameStatus namestatus;
152
153 /* parse principal */
154 ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context,
155 name, &principal);
156 if (ret) {
157 DEBUG(2, ("Could not parse principal: %s: %s",
158 name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
159 ret, mem_ctx)));
160 return WERR_NOMEM;
161 }
162
163 /* grab cifs/, http/ etc */
164
165 /* This is checked for in callers, but be safe */
166 if (principal->name.name_string.len < 2) {
167 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
168 return WERR_OK;
169 }
170 service = principal->name.name_string.val[0];
171
172 /* MAP it */
173 namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context,
174 sam_ctx, mem_ctx,
175 service, &new_service);
176
177 if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
178 info1->status = namestatus;
179 return WERR_OK;
180 }
181
182 if (ret != 0) {
183 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
184 return WERR_OK;
185 }
186
187 /* ooh, very nasty playing around in the Principal... */
188 free(principal->name.name_string.val[0]);
189 principal->name.name_string.val[0] = strdup(new_service);
190 if (!principal->name.name_string.val[0]) {
191 krb5_free_principal(smb_krb5_context->krb5_context, principal);
192 return WERR_NOMEM;
193 }
194
195 /* reform principal */
196 ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &new_princ);
197
198 krb5_free_principal(smb_krb5_context->krb5_context, principal);
199
200 if (ret) {
201 return WERR_NOMEM;
202 }
203
204 wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
205 new_princ, info1);
206 free(new_princ);
207 return wret;
208 }
209
210 /* Subcase of CrackNames, for the userPrincipalName */
211
212 static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
213 struct smb_krb5_context *smb_krb5_context,
214 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
215 const char *name, struct drsuapi_DsNameInfo1 *info1)
216 {
217 WERROR status;
218 const char *domain_filter = NULL;
219 const char *result_filter = NULL;
220 krb5_error_code ret;
221 krb5_principal principal;
222 char **realm;
223 char *unparsed_name_short;
224
225 /* Prevent recursion */
226 if (!name) {
227 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
228 return WERR_OK;
229 }
230
231 ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal);
232 if (ret) {
233 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
234 return WERR_OK;
235 }
236
237 domain_filter = NULL;
238 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
239 domain_filter = talloc_asprintf(mem_ctx,
240 "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
241 ldb_binary_encode_string(mem_ctx, *realm),
242 ldb_binary_encode_string(mem_ctx, *realm));
243 ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short);
244 krb5_free_principal(smb_krb5_context->krb5_context, principal);
245
246 if (ret) {
247 free(unparsed_name_short);
248 return WERR_NOMEM;
249 }
250
251 /* This may need to be extended for more userPrincipalName variations */
252 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(samAccountName=%s))",
253 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
254 if (!result_filter || !domain_filter) {
255 free(unparsed_name_short);
256 return WERR_NOMEM;
257 }
258 status = DsCrackNameOneFilter(sam_ctx, mem_ctx,
259 smb_krb5_context,
260 format_flags, format_offered, format_desired,
261 NULL, unparsed_name_short, domain_filter, result_filter,
262 info1);
263 free(unparsed_name_short);
264 return status;
265 }
266
267 /* Crack a single 'name', from format_offered into format_desired, returning the result in info1 */
268
269 WERROR DsCrackNameOneName(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
270 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
271 const char *name, struct drsuapi_DsNameInfo1 *info1)
272 {
273 krb5_error_code ret;
274 const char *domain_filter = NULL;
275 const char *result_filter = NULL;
276 struct ldb_dn *name_dn = NULL;
277
278 struct smb_krb5_context *smb_krb5_context;
279 ret = smb_krb5_init_context(mem_ctx, &smb_krb5_context);
280
281 if (ret) {
282 return WERR_NOMEM;
283 }
284
285 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
286 info1->dns_domain_name = NULL;
287 info1->result_name = NULL;
288
289 if (!name) {
290 return WERR_INVALID_PARAM;
291 }
292
293 /* TODO: - fill the correct names in all cases!
294 * - handle format_flags
295 */
296
297 /* here we need to set the domain_filter and/or the result_filter */
298 switch (format_offered) {
299 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
300 char *str;
301
302 str = talloc_strdup(mem_ctx, name);
303 WERR_TALLOC_CHECK(str);
304
305 if (strlen(str) == 0 || str[strlen(str)-1] != '/') {
306 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
307 return WERR_OK;
308 }
309
310 str[strlen(str)-1] = '\0';
311
312 domain_filter = talloc_asprintf(mem_ctx,
313 "(&(&(&(dnsRoot=%s)(objectclass=crossRef)))(nETBIOSName=*)(ncName=*))",
314 ldb_binary_encode_string(mem_ctx, str));
315 WERR_TALLOC_CHECK(domain_filter);
316
317 break;
318 }
319 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
320 char *p;
321 char *domain;
322 const char *account = NULL;
323
324 domain = talloc_strdup(mem_ctx, name);
325 WERR_TALLOC_CHECK(domain);
326
327 p = strchr(domain, '\\');
328 if (!p) {
329 /* invalid input format */
330 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
331 return WERR_OK;
332 }
333 p[0] = '\0';
334
335 if (p[1]) {
336 account = &p[1];
337 }
338
339 domain_filter = talloc_asprintf(mem_ctx,
340 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
341 ldb_binary_encode_string(mem_ctx, domain));
342 WERR_TALLOC_CHECK(domain_filter);
343 if (account) {
344 result_filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)",
345 ldb_binary_encode_string(mem_ctx, account));
346 WERR_TALLOC_CHECK(result_filter);
347 }
348
349 talloc_free(domain);
350 break;
351 }
352
353 /* A LDAP DN as a string */
354 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
355 name_dn = ldb_dn_explode(mem_ctx, name);
356 domain_filter = NULL;
357 if (!name_dn) {
358 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
359 return WERR_OK;
360 }
361 break;
362 }
363
364 /* A GUID as a string */
365 case DRSUAPI_DS_NAME_FORMAT_GUID: {
366 struct GUID guid;
367 char *ldap_guid;
368 NTSTATUS nt_status;
369 domain_filter = NULL;
370
371 nt_status = GUID_from_string(name, &guid);
372 if (!NT_STATUS_IS_OK(nt_status)) {
373 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
374 return WERR_OK;
375 }
376
377 ldap_guid = ldap_encode_ndr_GUID(mem_ctx, &guid);
378 if (!ldap_guid) {
379 return WERR_NOMEM;
380 }
381 result_filter = talloc_asprintf(mem_ctx, "(objectGUID=%s)",
382 ldap_guid);
383 WERR_TALLOC_CHECK(result_filter);
384 break;
385 }
386 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
387 domain_filter = NULL;
388
389 result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
390 ldb_binary_encode_string(mem_ctx, name),
391 ldb_binary_encode_string(mem_ctx, name));
392 WERR_TALLOC_CHECK(result_filter);
393 break;
394 }
395
396 /* A S-1234-5678 style string */
397 case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
398 struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
399 char *ldap_sid;
400
401 domain_filter = NULL;
402 if (!sid) {
403 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
404 return WERR_OK;
405 }
406 ldap_sid = ldap_encode_ndr_dom_sid(mem_ctx,
407 sid);
408 if (!ldap_sid) {
409 return WERR_NOMEM;
410 }
411 result_filter = talloc_asprintf(mem_ctx, "(objectSid=%s)",
412 ldap_sid);
413 WERR_TALLOC_CHECK(result_filter);
414 break;
415 }
416 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
417 krb5_principal principal;
418 char *unparsed_name;
419 ret = krb5_parse_name(smb_krb5_context->krb5_context, name, &principal);
420 if (ret) {
421 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
422 return WERR_OK;
423 }
424
425 domain_filter = NULL;
426
427 ret = krb5_unparse_name(smb_krb5_context->krb5_context, principal, &unparsed_name);
428 if (ret) {
429 krb5_free_principal(smb_krb5_context->krb5_context, principal);
430 return WERR_NOMEM;
431 }
432
433 krb5_free_principal(smb_krb5_context->krb5_context, principal);
434 result_filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(userPrincipalName=%s))",
435 ldb_binary_encode_string(mem_ctx, unparsed_name));
436
437 free(unparsed_name);
438 WERR_TALLOC_CHECK(result_filter);
439 break;
440 }
441 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
442 krb5_principal principal;
443 char *unparsed_name_short;
444 char *service;
445 ret = krb5_parse_name_norealm(smb_krb5_context->krb5_context, name, &principal);
446 if (ret) {
447 /* perhaps it's a principal with a realm, so return the right 'domain only' response */
448 char **realm;
449 ret = krb5_parse_name_mustrealm(smb_krb5_context->krb5_context, name, &principal);
450 if (ret) {
451 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
452 return WERR_OK;
453 }
454
455 /* This isn't an allocation assignemnt, so it is free'ed with the krb5_free_principal */
456 realm = krb5_princ_realm(smb_krb5_context->krb5_context, principal);
457
458 info1->dns_domain_name = talloc_strdup(info1, *realm);
459 krb5_free_principal(smb_krb5_context->krb5_context, principal);
460
461 WERR_TALLOC_CHECK(info1->dns_domain_name);
462
463 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
464 return WERR_OK;
465
466 } else if (principal->name.name_string.len < 2) {
467 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
468 return WERR_OK;
469 }
470
471 domain_filter = NULL;
472
473 ret = krb5_unparse_name_norealm(smb_krb5_context->krb5_context, principal, &unparsed_name_short);
474 if (ret) {
475 krb5_free_principal(smb_krb5_context->krb5_context, principal);
476 return WERR_NOMEM;
477 }
478
479 service = principal->name.name_string.val[0];
480 if ((principal->name.name_string.len == 2) && (strcasecmp(service, "host") == 0)) {
481 /* the 'cn' attribute is just the leading part of the name */
482 char *computer_name;
483 computer_name = talloc_strndup(mem_ctx, principal->name.name_string.val[1],
484 strcspn(principal->name.name_string.val[1], "."));
485 if (computer_name == NULL) {
486 return WERR_NOMEM;
487 }
488
489 result_filter = talloc_asprintf(mem_ctx, "(|(&(servicePrincipalName=%s)(objectClass=user))(&(cn=%s)(objectClass=computer)))",
490 ldb_binary_encode_string(mem_ctx, unparsed_name_short),
491 ldb_binary_encode_string(mem_ctx, computer_name));
492 } else {
493 result_filter = talloc_asprintf(mem_ctx, "(&(servicePrincipalName=%s)(objectClass=user))",
494 ldb_binary_encode_string(mem_ctx, unparsed_name_short));
495 }
496 krb5_free_principal(smb_krb5_context->krb5_context, principal);
497 free(unparsed_name_short);
498 WERR_TALLOC_CHECK(result_filter);
499
500 break;
501 }
502 default: {
503 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
504 return WERR_OK;
505 }
506
507 }
508
509 if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
510 return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
511 name_dn, name, info1);
512 }
513
514 return DsCrackNameOneFilter(sam_ctx, mem_ctx,
515 smb_krb5_context,
516 format_flags, format_offered, format_desired,
517 name_dn, name,
518 domain_filter, result_filter,
519 info1);
520 }
521
522 /* Subcase of CrackNames. It is possible to translate a LDAP-style DN
523 * (FQDN_1779) into a canoical name without actually searching the
524 * database */
525
526 static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
527 uint32_t format_offered, uint32_t format_desired,
528 const struct ldb_dn *name_dn, const char *name,
529 struct drsuapi_DsNameInfo1 *info1)
530 {
531 char *cracked;
532 if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
533 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
534 return WERR_OK;
535 }
536
537 switch (format_desired) {
538 case DRSUAPI_DS_NAME_FORMAT_CANONICAL:
539 cracked = ldb_dn_canonical_string(mem_ctx, name_dn);
540 break;
541 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
542 cracked = ldb_dn_canonical_ex_string(mem_ctx, name_dn);
543 break;
544 default:
545 info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
546 return WERR_OK;
547 }
548 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
549 info1->result_name = cracked;
550 if (!cracked) {
551 return WERR_NOMEM;
552 }
553
554 return WERR_OK;
555 }
556
557 /* Given a filter for the domain, and one for the result, perform the
558 * ldb search. The format offered and desired flags change the
559 * behaviours, including what attributes to return.
560 *
561 * The smb_krb5_context is required because we use the krb5 libs for principal parsing
562 */
563
564 static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
565 struct smb_krb5_context *smb_krb5_context,
566 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
567 const struct ldb_dn *name_dn, const char *name,
568 const char *domain_filter, const char *result_filter,
569 struct drsuapi_DsNameInfo1 *info1)
570 {
571 int ldb_ret;
572 struct ldb_message **domain_res = NULL;
573 const char * const *domain_attrs;
574 const char * const *result_attrs;
575 struct ldb_message **result_res = NULL;
576 const struct ldb_dn *result_basedn;
577
578 /* here we need to set the attrs lists for domain and result lookups */
579 switch (format_desired) {
580 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779:
581 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
582 const char * const _domain_attrs[] = { "ncName", "dnsRoot", NULL};
583 const char * const _result_attrs[] = { NULL};
584
585 domain_attrs = _domain_attrs;
586 result_attrs = _result_attrs;
587 break;
588 }
589 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
590 const char * const _domain_attrs[] = { "ncName", "dnsRoot", NULL};
591 const char * const _result_attrs[] = { "canonicalName", NULL };
592
593 domain_attrs = _domain_attrs;
594 result_attrs = _result_attrs;
595 break;
596 }
597 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
598 const char * const _domain_attrs[] = { "ncName", "dnsRoot", "nETBIOSName", NULL};
599 const char * const _result_attrs[] = { "sAMAccountName", "objectSid", NULL};
600
601 domain_attrs = _domain_attrs;
602 result_attrs = _result_attrs;
603 break;
604 }
605 case DRSUAPI_DS_NAME_FORMAT_GUID: {
606 const char * const _domain_attrs[] = { "ncName", "dnsRoot", NULL};
607 const char * const _result_attrs[] = { "objectGUID", NULL};
608
609 domain_attrs = _domain_attrs;
610 result_attrs = _result_attrs;
611 break;
612 }
613 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
614 const char * const _domain_attrs[] = { "ncName", "dnsRoot", NULL};
615 const char * const _result_attrs[] = { "displayName", "samAccountName", NULL};
616
617 domain_attrs = _domain_attrs;
618 result_attrs = _result_attrs;
619 break;
620 }
621 default:
622 return WERR_OK;
623 }
624
625 if (domain_filter) {
626 /* if we have a domain_filter look it up and set the result_basedn and the dns_domain_name */
627 ldb_ret = gendb_search(sam_ctx, mem_ctx, NULL, &domain_res, domain_attrs,
628 "%s", domain_filter);
629 } else {
630 ldb_ret = gendb_search(sam_ctx, mem_ctx, NULL, &domain_res, domain_attrs,
631 "(ncName=%s)", ldb_dn_linearize(mem_ctx, samdb_base_dn(mem_ctx)));
632 }
633
634 switch (ldb_ret) {
635 case 1:
636 break;
637 case 0:
638 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
639 return WERR_OK;
640 case -1:
641 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
642 return WERR_OK;
643 default:
644 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
645 return WERR_OK;
646 }
647
648 info1->dns_domain_name = samdb_result_string(domain_res[0], "dnsRoot", NULL);
649 WERR_TALLOC_CHECK(info1->dns_domain_name);
650 info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
651
652 if (result_filter) {
653 result_basedn = samdb_result_dn(mem_ctx, domain_res[0], "ncName", NULL);
654
655 ldb_ret = gendb_search(sam_ctx, mem_ctx, result_basedn, &result_res,
656 result_attrs, "%s", result_filter);
657 } else if (format_offered == DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
658 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
659 result_attrs);
660 } else {
661 name_dn = samdb_result_dn(mem_ctx, domain_res[0], "ncName", NULL);
662 ldb_ret = gendb_search_dn(sam_ctx, mem_ctx, name_dn, &result_res,
663 result_attrs);
664 }
665
666 switch (ldb_ret) {
667 case 1:
668 break;
669 case 0:
670 switch (format_offered) {
671 case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:
672 return DsCrackNameSPNAlias(sam_ctx, mem_ctx,
673 smb_krb5_context,
674 format_flags, format_offered, format_desired,
675 name, info1);
676
677 case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
678 return DsCrackNameUPN(sam_ctx, mem_ctx, smb_krb5_context,
679 format_flags, format_offered, format_desired,
680 name, info1);
681 }
682 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
683 return WERR_OK;
684 case -1:
685 info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
686 return WERR_OK;
687 default:
688 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
689 return WERR_OK;
690 }
691
692 /* here we can use result_res[0] and domain_res[0] */
693 switch (format_desired) {
694 case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
695 info1->result_name = ldb_dn_linearize(mem_ctx, result_res[0]->dn);
696 WERR_TALLOC_CHECK(info1->result_name);
697
698 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
699 return WERR_OK;
700 }
701 case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
702 info1->result_name = samdb_result_string(result_res[0], "canonicalName", NULL);
703 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
704 return WERR_OK;
705 }
706 case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX: {
707 /* Not in the virtual ldb attribute */
708 return DsCrackNameOneSyntactical(mem_ctx,
709 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
710 DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
711 result_res[0]->dn, name, info1);
712 }
713 case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
714 const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result_res[0], "objectSid");
715 const char *_acc = "", *_dom = "";
716
717 if (!sid || (sid->num_auths < 4) || (sid->num_auths > 5)) {
718 info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
719 return WERR_OK;
720 }
721
722 if (sid->num_auths == 4) {
723 ldb_ret = gendb_search(sam_ctx, mem_ctx, NULL, &domain_res, domain_attrs,
724 "(ncName=%s)", ldb_dn_linearize(mem_ctx, result_res[0]->dn));
725 if (ldb_ret != 1) {
726 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
727 return WERR_OK;
728 }
729 _dom = samdb_result_string(domain_res[0], "nETBIOSName", NULL);
730 WERR_TALLOC_CHECK(_dom);
731
732 } else if (sid->num_auths == 5) {
733 const char *attrs[] = { NULL };
734 struct ldb_message **domain_res2;
735 struct dom_sid *dom_sid = dom_sid_dup(mem_ctx, sid);
736 if (!dom_sid) {
737 return WERR_OK;
738 }
739 dom_sid->num_auths--;
740 ldb_ret = gendb_search(sam_ctx, mem_ctx, NULL, &domain_res, attrs,
741 "(&(objectSid=%s)(objectClass=domain))", ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
742 if (ldb_ret != 1) {
743 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
744 return WERR_OK;
745 }
746 ldb_ret = gendb_search(sam_ctx, mem_ctx, NULL, &domain_res2, domain_attrs,
747 "(ncName=%s)", ldb_dn_linearize(mem_ctx, domain_res[0]->dn));
748 if (ldb_ret != 1) {
749 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
750 return WERR_OK;
751 }
752
753 _dom = samdb_result_string(domain_res2[0], "nETBIOSName", NULL);
754 WERR_TALLOC_CHECK(_dom);
755
756 _acc = samdb_result_string(result_res[0], "sAMAccountName", NULL);
757 WERR_TALLOC_CHECK(_acc);
758 }
759
760 info1->result_name = talloc_asprintf(mem_ctx, "%s\\%s", _dom, _acc);
761 WERR_TALLOC_CHECK(info1->result_name);
762
763 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
764 return WERR_OK;
765 }
766 case DRSUAPI_DS_NAME_FORMAT_GUID: {
767 struct GUID guid;
768
769 guid = samdb_result_guid(result_res[0], "objectGUID");
770
771 info1->result_name = GUID_string2(mem_ctx, &guid);
772 WERR_TALLOC_CHECK(info1->result_name);
773
774 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
775 return WERR_OK;
776 }
777 case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
778 info1->result_name = samdb_result_string(result_res[0], "displayName", NULL);
779 if (!info1->result_name) {
780 info1->result_name = samdb_result_string(result_res[0], "sAMAccountName", NULL);
781 }
782 if (!info1->result_name) {
783 info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
784 } else {
785 info1->status = DRSUAPI_DS_NAME_STATUS_OK;
786 }
787 return WERR_OK;
788 }
789 default:
790 return WERR_OK;
791 }
792
793 return WERR_INVALID_PARAM;
794 }
795
796 /* Given a user Principal Name (such as foo@bar.com),
797 * return the user and domain DNs. This is used in the KDC to then
798 * return the Keys and evaluate policy */
799
800 NTSTATUS crack_user_principal_name(struct ldb_context *sam_ctx,
801 TALLOC_CTX *mem_ctx,
802 const char *user_principal_name,
803 struct ldb_dn **user_dn,
804 struct ldb_dn **domain_dn)
805 {
806 WERROR werr;
807 struct drsuapi_DsNameInfo1 info1;
808 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
809 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
810 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
811 user_principal_name,
812 &info1);
813 if (!W_ERROR_IS_OK(werr)) {
814 return werror_to_ntstatus(werr);
815 }
816 switch (info1.status) {
817 case DRSUAPI_DS_NAME_STATUS_OK:
818 break;
819 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
820 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
821 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
822 return NT_STATUS_NO_SUCH_USER;
823 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
824 default:
825 return NT_STATUS_UNSUCCESSFUL;
826 }
827
828 *user_dn = ldb_dn_explode(mem_ctx, info1.result_name);
829
830 if (domain_dn) {
831 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
832 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
833 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
834 talloc_asprintf(mem_ctx, "%s/",
835 info1.dns_domain_name),
836 &info1);
837 if (!W_ERROR_IS_OK(werr)) {
838 return werror_to_ntstatus(werr);
839 }
840 switch (info1.status) {
841 case DRSUAPI_DS_NAME_STATUS_OK:
842 break;
843 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
844 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
845 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
846 return NT_STATUS_NO_SUCH_USER;
847 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
848 default:
849 return NT_STATUS_UNSUCCESSFUL;
850 }
851
852 *domain_dn = ldb_dn_explode(mem_ctx, info1.result_name);
853 }
854
855 return NT_STATUS_OK;
856
857 }
858
859 /* Given a Service Principal Name (such as host/foo.bar.com@BAR.COM),
860 * return the user and domain DNs. This is used in the KDC to then
861 * return the Keys and evaluate policy */
862
863 NTSTATUS crack_service_principal_name(struct ldb_context *sam_ctx,
864 TALLOC_CTX *mem_ctx,
865 const char *service_principal_name,
866 struct ldb_dn **user_dn,
867 struct ldb_dn **domain_dn)
868 {
869 WERROR werr;
870 struct drsuapi_DsNameInfo1 info1;
871 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
872 DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
873 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
874 service_principal_name,
875 &info1);
876 if (!W_ERROR_IS_OK(werr)) {
877 return werror_to_ntstatus(werr);
878 }
879 switch (info1.status) {
880 case DRSUAPI_DS_NAME_STATUS_OK:
881 break;
882 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
883 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
884 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
885 return NT_STATUS_NO_SUCH_USER;
886 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
887 default:
888 return NT_STATUS_UNSUCCESSFUL;
889 }
890
891 *user_dn = ldb_dn_explode(mem_ctx, info1.result_name);
892
893 if (domain_dn) {
894 werr = DsCrackNameOneName(sam_ctx, mem_ctx, 0,
895 DRSUAPI_DS_NAME_FORMAT_CANONICAL,
896 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
897 talloc_asprintf(mem_ctx, "%s/",
898 info1.dns_domain_name),
899 &info1);
900 if (!W_ERROR_IS_OK(werr)) {
901 return werror_to_ntstatus(werr);
902 }
903 switch (info1.status) {
904 case DRSUAPI_DS_NAME_STATUS_OK:
905 break;
906 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
907 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
908 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
909 return NT_STATUS_NO_SUCH_USER;
910 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
911 default:
912 return NT_STATUS_UNSUCCESSFUL;
913 }
914
915 *domain_dn = ldb_dn_explode(mem_ctx, info1.result_name);
916 }
917
918 return NT_STATUS_OK;
919
920 }
921
922 NTSTATUS crack_dn_to_nt4_name(TALLOC_CTX *mem_ctx,
923 const char *dn,
924 const char **nt4_domain, const char **nt4_account)
925 {
926 WERROR werr;
927 struct drsuapi_DsNameInfo1 info1;
928 struct ldb_context *ldb;
929 char *p;
930
931 /* Handle anonymous bind */
932 if (!dn || !*dn) {
933 *nt4_domain = "";
934 *nt4_account = "";
935 return NT_STATUS_OK;
936 }
937
938 ldb = samdb_connect(mem_ctx, system_session(mem_ctx));
939 if (ldb == NULL) {
940 return NT_STATUS_INTERNAL_DB_CORRUPTION;
941 }
942
943 werr = DsCrackNameOneName(ldb, mem_ctx, 0,
944 DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
945 DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
946 dn,
947 &info1);
948 if (!W_ERROR_IS_OK(werr)) {
949 return werror_to_ntstatus(werr);
950 }
951 switch (info1.status) {
952 case DRSUAPI_DS_NAME_STATUS_OK:
953 break;
954 case DRSUAPI_DS_NAME_STATUS_NOT_FOUND:
955 case DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY:
956 case DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE:
957 return NT_STATUS_NO_SUCH_USER;
958 case DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR:
959 default:
960 return NT_STATUS_UNSUCCESSFUL;
961 }
962
963 *nt4_domain = talloc_strdup(mem_ctx, info1.result_name);
964
965 p = strchr(*nt4_domain, '\\');
966 if (!p) {
967 return NT_STATUS_INVALID_PARAMETER;
968 }
969 p[0] = '\0';
970
971 if (p[1]) {
972 *nt4_account = talloc_strdup(mem_ctx, &p[1]);
973 }
974
975 if (!*nt4_account || !*nt4_domain) {
976 return NT_STATUS_NO_MEMORY;
977 }
978
979 return NT_STATUS_OK;
980
981 }
Samba GIT mirror